- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Cisco VRF lite on FG with GRE over IPSec
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco VRF lite on FG with GRE over IPSec
Hello all,
I have the following scenario:
- I need to create GRE over IPSec between Cisco and FG 100D due to running BGP over.
- I need to separate global routing table (the IPsec is created on the global routing table) and " BGP domain" routing table
- GRE over IPsec and BGP is already running on my FG, but I have a problem to configure the rest.
- I found that there are VDOM on FG + VDOM link, but I dont understand how to link root VDOM with Customer VDOM and run GRE over IPSec + BGP to this VDOM.
Cisco configuration example - tunnel is based on global routing table, inside of tunnel in within customer routing table:
interface Tunnel1
description GRE tunnel to FG
ip vrf forwarding customer
ip address 10.2.1.1 255.255.255.252
tunnel source X.X.X.X
tunnel destination Y.Y.Y.Y
tunnel protection ipsec profile vpnprof
Fortigate configuration :
edit " ipsec_phase1"
set vdom " root"
set ip Y.Y.Y.Y 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip X.X.X.X
set snmp-index 12
set interface " wan1"
edit " gre1"
set vdom " root"
set ip 10.2.1.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.2.1.1
set snmp-index 13
set interface " ipsec_phase1"
config system gre-tunnel
edit " gre1"
set interface " ipsec_phase1"
set local-gw Y.Y.Y.Y
set remote-gw X.X.X.X
next
Any help would be appreciated.
Thanks a lot in advance.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes Vdoms + vdom links is the right way.
You create a link between the two vdoms and make sure to give the vdom links IP addresses (for example with /31)
Then you can use the links in routing with BGP.
Very straight forward.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Selective,
thanks for the reply. Could you give me an example ?
GRE tunnel FG 10.2.1.2 - 10.2.1.1 Cisco /30
GRE tunnel FG should be terminated in root VDOM or customer VDOM ?
I' m not sure how to bind GRE tunnel with VDOM link and which address add to VDOM link?
Thanks a lot
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry for late respons.
You do not bind the GRE tunnel to a vdom link.
Make the GRE tunnel on one of your VDOMS, (which suits you the most).
Then you can use the vdom links to move traffic between the vdoms.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
" Make the GRE tunnel on one of your VDOMS, (which suits you the most). "
1) If I make the GRE tunnel on " customer" VDOM, Im unable to run GRE over IPSec.
IPSec is bound with WAN interface (with public WAN IP) in " root" VDOM and there is L3 VDOM link in FG.
2) If I make the GRE t. on " root" VDOM, Im able to run BGP over GRE and also between VDOMs, BUT there is a problem with " customers" def. route propagated via BGP in root VDOM. The static one is prefered... Without static one I can' t build up the IPSec. = i.e. deadlock.
PS: If there is something like local policy based routing similar to CISCO everything would be fine. :)
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On #1: why can' t you bind the tunnel to a vdom interface where the customer is at
On #2: a simple prefix-list and filtering would drop any thing that you don' t want to adv or learn
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On #1: why can' t you bind the tunnel to a vdom interface where the customer is atHi, here is my scenario : cisco GRE (10.2.1.1/30 - 10.2.1.2/30 ) FG gre customer VDOM link (10.1.1.1/30 - 10.1.1.2/30) root VDOM ipsec_phase1 interface (Y.Y.Y.Y - X.X.X.X) - Cisco Endpoint WAN link FG (Y.Y.Y.Y - X.X.X.X) - Cisco Endpoint Could you try to help me with configuration ? edit " gre1" set vdom " customer" set ip 10.2.1.2 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.2.1.1 set snmp-index 13 set interface " vlink11" -> the VDOM link within customer VDOM What the GRE tunnel config should be look like ? config system gre-tunnel edit " gre1" set interface " vlink11" ????? set local-gw Y.Y.Y.Y -> WAN ip in root VDOM ???? set remote-gw X.X.X.X next
Related Posts
- IPSEC Tunnel goes down after scheduled... 86 Views
- IPsec phase1 negotiation failes due to... 125 Views
- SDWAN design question 87 Views
- Failover routing to APN 131 Views
- how fortigate SD-WAN ensure both sites... 179 Views
Labels
-
FortiGate
6,647 -
FortiClient
1,326 -
5.2
801 -
5.4
639 -
FortiManager
575 -
FortiAnalyzer
419 -
6.0
416 -
5.6
362 -
FortiSwitch
341 -
FortiAP
338 -
FortiClient EMS
270 -
6.2
251 -
FortiMail
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
156 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
Logging
12 -
LDAP
11 -
VDOM
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
fortilink
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.